1
**Merkle Puzzles Are Optimal**

Boaz Barak, Mohammad Mahmoody-Ghidary

2
**Some faces of modern cryptography**

Timeline:

- 1974: Merkle KA, $n^2$ security, ideal OWF
- 1976: Diffie-Hellman KA, $\exp(n)$, ~dlog*
- 1977: RSA TDP, $\exp(n)$ security, factoring*
- 1978: Rabin TDP, ~$\exp(n)$, factoring
- 1989: Naor-Yung SIG, $\exp(n)$ security, OWF*

(Timeline label: Stone Age)

Fundamental Question: Is there an OWF-based KA with super-polynomial security?

Impagliazzo-Rudich 89: No KA based on a random oracle can be proven more than $n^6$ secure in a black-box way.

Why is it important?

3
**Some faces of modern cryptography**

Fundamental Question: Is there an OWF-based KA with super-polynomial security?

Impagliazzo-Rudich 89: No KA based on a random oracle can be proven more than $n^6$ secure in a black-box way.

Our Result: Improve IR89's bound to $n^2$.

Theoretical motivation: power of interaction.

Practical motivation: rule out a protocol with $10^9$ operations and $10^{54}$ security [Biham-Ishai-Goren08].

4
**Talk Plan**

- Formal defs and model.
- Overview of Merkle's Protocol.
- Description of our attacking algorithm.
- Analysis of attack.

5
**Formal Defs**

Def: Key exchange protocol

[Diagram: Alice and Bob with oracle $H$, labelled $s_A$ and $s_B$]

Correctness:

Security: For every eavesdropping adversary outputting $s_E$

Random oracle model: All parties have black-box access to a random function $H:\{0,1\}^n \to \{0,1\}^n$ (same model, different motivation than [Bellare-Rogaway 93]).

This talk: Complexity = # queries to $H$

7
**Our Result**

Main Thm: $\forall$ $n$-query protocol, $\exists$ $O((n/\epsilon)^2)$-query Eve s.t. $\Pr[s_E = s_A] > \Pr[s_A = s_B] - \epsilon$

Def: $q \in \{0,1\}^n$ is an intersection query (IQ) for some execution of a protocol if both Alice and Bob make the query $q$ to $H()$.

Main Thm follows from:

Main Lemma: $\forall$ $n$-query protocol, $\exists$ $O((n/\epsilon)^2)$-query Eve s.t. $\Pr[\text{Eve makes all IQ's}] > 1 - \epsilon$

Intuition: w.l.o.g., the last queries of Alice and Bob are $s_A$, $s_B$.
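As an added illustration (not code from the talk), the following simulates the standard random-oracle form of Merkle's protocol, where Alice and Bob each spend $n$ queries on random points of a domain of size $n^2$, next to an exhaustive $n^2$-query Eve that makes every intersection query and therefore outputs the same key. Assumptions: SHA-256 stands in for $H$, the names `Oracle`, `run_once` and `experiment` are hypothetical, and this Eve is the brute-force attack on this one protocol, not the talk's general attack algorithm.

```python
import hashlib
import random

class Oracle:
    """Stand-in for the random oracle H (assumption: SHA-256 models H).
    Logs which points each party queried."""
    def __init__(self, seed):
        self.seed = seed
        self.log = {"alice": set(), "bob": set(), "eve": set()}

    def H(self, party, x):
        self.log[party].add(x)
        return hashlib.sha256(f"{self.seed}:{x}".encode()).hexdigest()

def run_once(n, seed):
    """One protocol execution plus Eve's attack; None if Alice and Bob fail."""
    rng = random.Random(seed)
    oracle = Oracle(seed)
    domain = range(n * n)
    # Honest parties: n queries each on random points of a size-n^2 domain.
    alice = {oracle.H("alice", x): x for x in rng.sample(domain, n)}
    bob = {oracle.H("bob", x): x for x in rng.sample(domain, n)}
    # Public transcript: Alice's n answers, then the answer Bob recognises.
    transcript = sorted(alice)
    matches = [y for y in transcript if y in bob]
    if not matches:
        return None  # no shared point in this run (happens with prob. ~1/e)
    y = matches[0]
    s_a, s_b = alice[y], bob[y]
    # Eve: query the whole domain (n^2 queries), then invert the announced answer.
    table = {oracle.H("eve", x): x for x in domain}
    s_e = table[y]
    iq = oracle.log["alice"] & oracle.log["bob"]  # intersection queries (IQs)
    return {"s_a": s_a, "s_b": s_b, "s_e": s_e,
            "honest_queries": len(oracle.log["alice"]),
            "eve_queries": len(oracle.log["eve"]),
            "eve_made_all_iq": iq <= oracle.log["eve"]}

def experiment(n=32, trials=50):
    """Run seeded executions; keep those in which a shared point exists."""
    return [r for r in (run_once(n, s) for s in range(trials)) if r]

if __name__ == "__main__":
    runs = experiment()
    print(len(runs), "successful runs; Eve recovered the key in",
          sum(r["s_e"] == r["s_a"] for r in runs))
```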

8
**Main Lemma: $\forall$ $n$-query protocol, $\exists$ $O((n/\epsilon)^2)$-query Eve**

$\Pr[\text{Eve makes all IQ's}] > 1 - O(\epsilon)$

Attack Algorithm:

Can show: $E[\#\text{ Eve's queries}] \le O(n^2/\epsilon)$

Need: $\forall i$, $\Pr[\text{Eve misses } q_i \mid \text{not missing } q_j,\ j<i] \le \epsilon/n$

Intuition: If Eve didn't miss any IQ so far, it has as much chance at hitting Alice's next query as Bob does.

9
**Lemma: $\forall i$, $\Pr[\text{Eve misses } q_i \mid \text{not missing } q_j,\ j<i] \le 10\epsilon/n$**

Proof attempt: Suppose not; Alice's $i$-th query $q = q_i$ is the first one missed.

Eve knows all messages and all shared queries of Alice and Bob. The oracle gives random answers in all non-shared locations.

(*) Alice's and Bob's views are independent conditioned on Eve's knowledge.

Fix Alice's view $A = (r_A, h_A)$ that still makes $\Pr[\text{miss}] > 10\epsilon/n$.

$\mu(\;) \ge 10\epsilon/n$

But then $> \epsilon/n$ overall probability that $q$ is asked by Bob: contradiction!

(*) is false. Cause of [IR89]'s technical complexity: handled by making more queries, show non-independence ⇒ Eve "makes progress" per query.

We show directly that views are close to being independent (small mutual information).

[Figure labels: Alice's view, Bob's view, Bad set]

10
**Lemma: $\forall i$, $\Pr[\text{Eve misses } q_i \mid \text{not missing } q_j,\ j<i] \le \epsilon/n$**

Proof attempt: Suppose not; Alice's $i$-th query $q = q_i$ is the first one missed.

Eve knows all messages and all shared queries of Alice and Bob. The oracle gives random answers in all non-shared locations.

(*) Alice's and Bob's views are independent conditioned on Eve's knowledge.

Fix Alice's view $A = (r_A, h_A)$ that still makes $\Pr[\text{miss}] > 10\epsilon/n$.

We show: $\forall A, B$

$\mu(\;) > 5\epsilon/n$

Implies

[Figure labels: Alice's view, Bob's view, Bad set]

11
**Views are "almost" independent**

Depends only on $|r_A|$, $|Q_A|$

Depends only on $|r_B|$, $|Q_B|$

Thus theorem follows from:

Cor: Probabilities in product and non-product are the same up to a multiplicative factor of 0.99

12
[Figure with labels $N$, $M$, $\alpha M$]

13
**Main Lemma: $\forall$ $n$-query protocol, $\exists$ $O((n/\epsilon)^2)$-query Eve**

$\Pr[\text{Eve learns all IQ's}] > 1 - O(\epsilon)$

Attack Algorithm:

Proved: $\forall i$, $\Pr[\text{Eve misses } q_i \mid \text{not missing } q_j,\ j<i] \le 10\epsilon/n$

Cor: $\Pr[\text{Eve misses some IQ}] \le 10\epsilon$

Left to do: $E[\#\text{ Eve's queries}] \le O(n^2/\epsilon)$

14
**Efficiency of attack**

Attack Algorithm:

Left to do: $E[\#\text{ Eve's queries}] \le O(n^2/\epsilon)$

Lemma: $E[\#\text{ Eve's queries}] \le O(n^2/\epsilon)$

15
**Open Questions**

- $O(n^2)$ bound for random permutations (we improve [IR89]'s $\tilde{O}(n^{12})$ bound to $O(n^4)$); can also consider ideal cipher, other "symmetric" primitives.
- Rule out a construction with non-trivial (i.e., $\omega(n)$) security w.r.t. quantum adversaries??
- Find non-black-box constructions of key exchange from one-way functions, or other "unstructured" assumptions.
